| 4f0d95fa |
package daemon // import "github.com/docker/docker/daemon" |
| 9c4570a9 |
import ( |
| c4785536 |
"context"
|
| 9c4570a9 |
"github.com/docker/docker/container"
"github.com/docker/docker/daemon/exec" |
| b940cc5c |
"github.com/docker/docker/oci/caps" |
| 790a81ea |
"github.com/opencontainers/runc/libcontainer/apparmor" |
| 07ff4f1d |
specs "github.com/opencontainers/runtime-spec/specs-go" |
| 9c4570a9 |
)
|
| ddae20c0 |
func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config, p *specs.Process) error { |
| 9c4570a9 |
if len(ec.User) > 0 { |
| 65a33d02 |
var err error
p.User, err = getUser(c, ec.User) |
| 9c4570a9 |
if err != nil {
return err
}
}
if ec.Privileged { |
| ddae20c0 |
if p.Capabilities == nil {
p.Capabilities = &specs.LinuxCapabilities{}
}
p.Capabilities.Bounding = caps.GetAllCapabilities()
p.Capabilities.Permitted = p.Capabilities.Bounding
p.Capabilities.Inheritable = p.Capabilities.Bounding
p.Capabilities.Effective = p.Capabilities.Bounding |
| 9c4570a9 |
} |
| 790a81ea |
if apparmor.IsEnabled() {
var appArmorProfile string
if c.AppArmorProfile != "" {
appArmorProfile = c.AppArmorProfile
} else if c.HostConfig.Privileged { |
| 8f3308ae |
// `docker exec --privileged` does not currently disable AppArmor
// profiles. Privileged configuration of the container is inherited |
| a33cf495 |
appArmorProfile = unconfinedAppArmorProfile |
| 790a81ea |
} else { |
| 5d040cbd |
appArmorProfile = defaultAppArmorProfile |
| 790a81ea |
}
|
| 5d040cbd |
if appArmorProfile == defaultAppArmorProfile { |
| 790a81ea |
// Unattended upgrades and other fun services can unload AppArmor
// profiles inadvertently. Since we cannot store our profile in
// /etc/apparmor.d, nor can we practically add other ways of
// telling the system to keep our profile loaded, in order to make
// sure that we keep the default profile enabled we dynamically
// reload it if necessary.
if err := ensureDefaultAppArmorProfile(); err != nil {
return err
}
} |
| 8f3308ae |
p.ApparmorProfile = appArmorProfile |
| 790a81ea |
} |
| c4785536 |
s := &specs.Spec{Process: p}
return WithRlimits(daemon, c)(context.Background(), nil, nil, s) |
| 9c4570a9 |
} |